
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 42
Critical: 3
High: 6
Medium: 33
Showing 41-42 of 42 records
Threat Entry Updated 2024-11-21

CVE-2021-24443 - Membership Plugin

The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low-privilege user to gain unauthorised access to the admin side of the blog by targeting an admin and inducing them to view the profile containing a malicious payload that, for example, adds a rogue account.

PLUGIN Membership

CVE-2021-24443

MEDIUM CVSS 5.4 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24306 - Membership Plugin

The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit the user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged-in user open a malicious link.

PLUGIN Membership

CVE-2021-24306

MEDIUM CVSS 5.4 2021-05-24